VM, VPS, and User Training

Last week, I discussed how virtual machines (VMs) might become standard on computers. As a brief recap, virtualization technology could provide an effective way to ensure the integrity of desktop computers, particularly because it makes restoring a compromised system quick and easy: Simply shut down the VM and relaunch it.

If you consider implementing this type of solution, you should also consider running different OSs on the under- and overlying systems. Doing so will probably improve overall security more than if you, say, run a Windows-based VM (typically called the guest OS) on top of another Windows-based OS (typically called the host OS). Exploiting the vulnerabilities of two OSs and their related applications is more difficult than compromising one.

You could, for example, run some variety of Linux or BSD or possibly Mac OS X or Solaris as the host OS and run Windows as a VM. This way, if an intruder is able to compromise Windows, you can quickly clean up that problem; in order to compromise the entire system, the intruder would need to know which OS runs as the host underneath Windows and be able to exploit that OS too. Of course, the downside of this approach is that you'd have two OSs to maintain, plus the expense of licensing the host OS if you don't use an open source OS.

Last week, I mentioned Microsoft Virtual Server 2005 R2, VMware, and Parallels Workstation as virtualization solutions. Serenity Virtual Station (SVISTA) from Serenity System International allows both Linux and FreeBSD as host OSs and can run Windows, Linux, and Serenity's eComStation as guest OSs.

http://www.serenityvirtual.com

Finally, another virtualization solution that I didn't mention last week is the virtual private server (VPS). Don't mistake VPSs for VMs--there are important differences. In short, VPS technology doesn't let you mix different host and guest OSs. True VMs work at the hardware level, whereas VPS technology works at the software level to create an isolated environment that uses the host's OS. So, for example, if you use VPS technology on a Windows XP system, each VPS you create on that system will be based on that single installed copy of XP.

If you think you might be interested in VPS technology, have a look at Virtuozzo from SWsoft (first URL below), which runs on Windows and Linux. If you use Solaris, you might know that it has VPS support built in. Other VPS solutions are also available for Linux via the Linux-Vserver Web site (at the second URL below) and BSD via BSD jails (which you can learn about at the third URL below).

http://www.swsoft.com/en/products/virtuozzo

http://linux-vserver.org

http://en.wikipedia.org/wiki/FreeBSD_Jail

Virtualization technology goes a long way towards building better security and can help protect users from themselves. Another way to help end users improve company security is to train them.

Last week, CompTIA said that based on a recent survey of 574 companies, human error was responsible for 60 percent of information security breaches experienced over the last year. Yet only 36 percent of the surveyed companies offer end-user training!

It is glaringly apparent that end users need training to help raise their security awareness. I seriously doubt that any combination of technologies could reasonably replace thorough education. Chances are great that if more end users received security-related training, security breaches could be significantly reduced. That, of course, would save time and money and help protect your business at all levels, including its important public image.

Although some aspects of end-user training need to be tailored to fit your particular business, many aspects can be generalized to fit nearly any business that uses Microsoft products. I'll see if I can dig up some useful training resources that might help you review or augment your existing training or develop new training if you don't have any in place. Look for this information in an upcoming edition of this newsletter.
